So, ... set up a nice secure password - made sure to use HTTPS,
indicates it has to be 6 to 14 characters, and contain at least
one letter and one digit, so I used:
nEc3Twj(ayq<Qq
Vendor then immediately emails (as part of the registration) the
password, without using encryption. Bleh.
Okay, so let's see if I update the password and the vendor hopefully
won't also email the updated password. Being sure to use HTTPS again.
I try:
kXvM*T<Pgb^9[W
but it won't let me use that, it gives me:
Password is Invalid. Must be 6-14 characters and contain at least one
letter and one number.
Well, ... it is and does, so what aren't they telling me, and how much
weaker/stupider do I have to make the password for it to be accepted?
And we wonder why typical users get frustrated and pick weak passwords
like:
a00000
for which, by the way, the site tells me "Password OK."
(but no, I didn't click "Submit" on that weak of a password).
So I try:
mOr0xb%IR8LTPI
and I log out and try to log in again to make sure it works.
The login doesn't work - nor does it work with the prior password I set.
Buggers - the password change input likely mangles or truncates the
password in a manner different from the login authentication.
So, ... I go through the password reset thingy - emails me a weaker password
in the clear, and I use that and try again ...
after another attempt, I finally get one that's suitably strong to my
liking, is accepted, and also works when I log out and back in to
confirm they got it right.
And we wonder why users often pick weak passwords - even if they might
be somewhat inclined to pick/use better - potentially much better
ones.
And yes, I'm going to check if they have some suitable contact or the
like to let them know about their password security and validation issues.
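The two defects described above (a validator stricter than the rule it reports, and a change form that mangles the password differently from the login path) are easy to reproduce and easy to test for. The following is an added example written for this post, not the vendor's code; the symbol whitelist in the "hidden rule" validator and the truncation length of 8 are constructed guesses at what such a bug could look like, and the sample passwords are the ones quoted in the post.

```python
import hashlib
import hmac
import os
import string
from typing import Optional, Tuple

# The policy exactly as the vendor's error message states it.
MIN_LEN, MAX_LEN = 6, 14
LETTERS, DIGITS = set(string.ascii_letters), set(string.digits)


def validate_password(pw: str) -> Tuple[bool, str]:
    """Check pw against the stated policy only, and report the specific failure."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False, f"must be {MIN_LEN}-{MAX_LEN} characters"
    if not any(c in LETTERS for c in pw):
        return False, "must contain at least one letter"
    if not any(c in DIGITS for c in pw):
        return False, "must contain at least one number"
    return True, ""


# Hypothetical hidden rule (constructed, not from the vendor): a symbol
# whitelist that the error message never mentions, so a password such as
# kXvM*T<Pgb^9[W is rejected while the user is told the stated rule failed.
HIDDEN_ALLOWED_SYMBOLS = set("!@#$%^&*")


def validate_password_with_hidden_rule(pw: str) -> Tuple[bool, str]:
    """The anti-pattern: enforce an unstated rule but report the stated one."""
    ok, why = validate_password(pw)
    allowed = LETTERS | DIGITS | HIDDEN_ALLOWED_SYMBOLS
    if ok and any(c not in allowed for c in pw):
        return False, ("Password is Invalid. Must be 6-14 characters and "
                       "contain at least one letter and one number.")
    return ok, why


def _derive(pw: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; iteration count kept modest for a demo."""
    return hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, 100_000)


class PasswordStore:
    """Salted password store. truncate_on_set simulates a change form that
    cuts the password off before hashing while the login path hashes it whole,
    which is one way to get the 'accepted but cannot log in' symptom."""

    def __init__(self, truncate_on_set: Optional[int] = None):
        self._records = {}
        self._truncate = truncate_on_set

    def set_password(self, user: str, pw: str) -> None:
        ok, why = validate_password(pw)
        if not ok:
            raise ValueError(why)
        if self._truncate is not None:
            pw = pw[: self._truncate]  # the mangling: only this path shortens it
        salt = os.urandom(16)
        self._records[user] = (salt, _derive(pw, salt))

    def verify(self, user: str, pw: str) -> bool:
        record = self._records.get(user)
        if record is None:
            return False
        salt, digest = record
        return hmac.compare_digest(_derive(pw, salt), digest)


def change_then_login(store: PasswordStore, user: str, pw: str) -> bool:
    """The check from the post: set the password, log out, log back in with it."""
    store.set_password(user, pw)
    return store.verify(user, pw)


if __name__ == "__main__":
    for pw in ("nEc3Twj(ayq<Qq", "kXvM*T<Pgb^9[W", "a00000", "abcde", "abcdefg"):
        print(repr(pw), validate_password(pw), validate_password_with_hidden_rule(pw))
    print("consistent store:", change_then_login(PasswordStore(), "u", "mOr0xb%IR8LTPI"))
    print("truncating store:", change_then_login(PasswordStore(truncate_on_set=8), "u", "mOr0xb%IR8LTPI"))
```

The two properties worth asserting in a test suite are that every password the stated rule accepts is accepted and every rejection names the actual rule that failed, and that registration, change and login all pass the exact same bytes into the same hashing routine. A round trip like `change_then_login` through the real change and login handlers, with passwords at the maximum length and containing every symbol the form accepts, catches the truncation class of bug before a user does.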